Iptables Tutorial – Securing Ubuntu VPS with Linux Firewall

Introduction

The Iptables Linux firewall monitors incoming and outgoing traffic to a server and filters it based on user-defined rules, preventing unauthorized access to the system. Using Iptables you can define rules that allow only selected traffic to reach your server. In this Iptables tutorial, you will learn how to secure your web application using Iptables.

Note: On RHEL/CentOS, a service named firewalld is already installed. If you want to use Iptables there, you have to disable firewalld first.

Iptables Basics

All data travels over the internet in the form of packets. The Linux kernel provides an interface to filter both incoming and outgoing packets using tables of packet filters. Iptables is a command-line application and Linux firewall that you use to set up, maintain and inspect these tables. Multiple tables can be defined, and each table can contain multiple chains. A chain is simply a set of rules. Each rule defines what to do with a packet that matches it. When a packet matches a rule, it is given a TARGET. A target can be another chain to match against, or one of the following special values:

ACCEPT: It means the packet will be allowed to pass through.

DROP: It means that packet will not be allowed to pass through.

RETURN: It means to stop traversing the current chain and resume at the next rule of the chain it was called from.

For the scope of this iptables tutorial, we are going to work with one of the default tables, called filter. The filter table has three chains (sets of rules).

INPUT – This chain is used to control incoming packets to the server. You can block/allow connections based on port, protocol or source IP address.

FORWARD – This chain is used to filter packets that are incoming to the server but are to be forwarded somewhere else.

OUTPUT – This chain is used to filter packets that are going out from your server.

Step 1 – Installing Iptables Linux Firewall

1. Installing Iptables

Iptables comes pre-installed on almost all Linux distributions. If it is not installed on your Ubuntu/Debian system, install it with:

sudo apt-get update
sudo apt-get install iptables

2. Checking current Iptables status

You can check the status of your current Iptables configuration by listing its rules: the -L option lists all the rules and the -v option produces a more verbose (detailed) listing. Please note that these options are case sensitive.

Here -A stands for append. The chain is the chain to which we want to append the rule. The interface is the network interface on which you want to filter the traffic, and the protocol is the networking protocol of the packets you want to filter. You can also specify the port number on which you want to filter the traffic.

For more detailed information about the iptables command and its options, see the iptables man page.

1. Enabling traffic on localhost

We want all communications between applications and databases on the server to continue as usual.

Here the -A option appends a rule to the INPUT chain that accepts all connections on the lo interface. lo is the loopback interface; it carries all communication on the localhost, such as traffic between a database and a web application on the same machine.

2. Enabling connections on HTTP, SSH, and SSL port

We want our regular HTTP (port 80), HTTPS (port 443) and SSH (port 22) connections to continue as usual. Enter the following commands to enable them. In these commands the protocol is specified with the -p option and the corresponding port for each protocol with the --dport (destination port) option.

To delete a rule, specify the chain and the rule's position in the list. In our case that is the INPUT chain and rule number 3.

sudo iptables -D INPUT 3
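Rule numbers only mean something relative to the current listing, and rules appended with -A after a catch-all DROP are never reached. As an added example (not from the original tutorial), the Python script below parses the output of `sudo iptables -L INPUT -v -n --line-numbers`, reports which ports the INPUT chain accepts with their rule numbers (the numbers you would pass to `iptables -D INPUT <num>`), checks for the loopback and catch-all DROP rules, and flags unreachable rules. The listing embedded in it is constructed, not captured from a real host.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample output of `sudo iptables -L INPUT -v -n --line-numbers`
# (not from a real host). Rule 6 was appended with -A after the catch-all DROP.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       12   720 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2      340 28000 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3     1200 98000 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
4        8   480 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
5       52  3100 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
6        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
"""

@dataclass
class Rule:
    num: int              # position in the chain, as used by `iptables -D INPUT <num>`
    target: str           # ACCEPT, DROP, ...
    in_if: str            # input interface ('*' means any)
    dport: Optional[int]  # destination port taken from 'dpt:NN', if present

def parse_input_chain(listing: str):
    """Return (default policy, list of Rule) from a verbose, numbered INPUT listing."""
    lines = [ln for ln in listing.splitlines() if ln.strip()]
    m = re.search(r"\(policy (\w+)", lines[0])
    policy = m.group(1) if m else "UNKNOWN"
    rules = []
    for ln in lines[2:]:          # skip the chain header and the column header
        f = ln.split()            # num pkts bytes target prot opt in out src dst [match...]
        dm = re.search(r"dpt:(\d+)", ln)
        rules.append(Rule(int(f[0]), f[3], f[6], int(dm.group(1)) if dm else None))
    return policy, rules

def audit_input_chain(listing: str) -> dict:
    """Summarise what the INPUT chain lets in and flag rules that can never match."""
    policy, rules = parse_input_chain(listing)
    catch_all = next((r for r in rules if r.target == "DROP"
                      and r.in_if == "*" and r.dport is None), None)
    return {
        "loopback_allowed": any(r.target == "ACCEPT" and r.in_if == "lo" for r in rules),
        "open_ports": {r.dport: r.num for r in rules
                       if r.target == "ACCEPT" and r.dport is not None},
        "drops_everything_else": policy == "DROP" or catch_all is not None,
        # Anything after the catch-all DROP is dead: delete it with -D, or
        # re-add it with -I (insert) above the DROP instead of -A (append).
        "unreachable_rules": [r.num for r in rules if catch_all and r.num > catch_all.num],
    }
```

To audit a real host, replace SAMPLE_LISTING with `sys.stdin.read()` and pipe the listing command into the script.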

Step 3 – Persisting changes

The Iptables rules we have created exist only in memory, which means they are lost and have to be redefined after a reboot. To make these changes persistent across reboots on Ubuntu/Debian systems, save them with:

sudo /sbin/iptables-save | sudo tee /etc/iptables/rules.v4

iptables-save prints the current rules to standard output; redirecting that output into /etc/iptables/rules.v4 (the file loaded at boot by the iptables-persistent package, which this assumes is installed) stores them in a system configuration file that is used to reconfigure the tables at boot time. Run this every time you change the rules. To disable the firewall, simply flush all the rules and persist the empty ruleset the same way:

sudo iptables -F
sudo /sbin/iptables-save | sudo tee /etc/iptables/rules.v4

Conclusion

In this Iptables tutorial, we have used the Iptables Linux firewall to allow traffic only on specific ports, and we have made sure that our rules survive a reboot. This Linux firewall will drop unwanted packets, but with one caveat: Iptables governs only IPv4 traffic. If IPv6 networking is enabled on your VPS, you have to define separate rules for that traffic with ip6tables.